coen 350
DESCRIPTION
COEN 350. Network Defense in Depth Firewalls. Terms of the Trade. Border Router First / last router under control of system administration. DMZ Demilitarized zone. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/1.jpg)
COEN 350
Network Defense in DepthFirewalls
![Page 2: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/2.jpg)
Terms of the Trade Border Router
First / last router under control of system administration.
DMZ Demilitarized zone. Security is low, since not
protected by firewall. Locate webservers and other services there that generate potentially unsafe traffic.
Firewall Filters packages based on a
variety of rules.
![Page 3: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/3.jpg)
Terms of the Trade IDS
Intrusion Detection System. NIDS: glean intrusion
signatures from traffic. HIDS: monitor activity at a
host on which they are located.
VPN Virtual private network
Screened subnet Area protected by an internal
firewall.
![Page 4: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/4.jpg)
Terms of the Trade Configuration Management
Known vulnerabilities account for most of actually perpetrated exploits.
For most of them, patches were available, but not installed.
CM tries to enforce uniform security policies.
Backdoors An entrance into the system
that avoids perimeter defenses.
![Page 5: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/5.jpg)
Defense in Depth
Rule 1: Multitude of security measures. Do not relay on one security
mechanism. Rule 2: Do not make security so
expensive / burdensome that you give legitimate users an incentive to circumvent security.
![Page 6: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/6.jpg)
Defense in Depth Example: External tcp packet passes:
Internet Perimeter Router Internet perimeter firewall DMZ firewall Network IPS NetFlow
Analyzes connections on network Antivirus on host Host IPS
![Page 7: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/7.jpg)
Firewalls Firewalls are perimeter defense:
Keep the bad stuff outside, enjoy life inside.
![Page 8: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/8.jpg)
Filtering Signature
Any distinctive characteristic that identifies something (with a high degree of probability)
Signature Types Atomic Signatures
Single packet, single event, single activity is examined.
Stateful Signatures State: Needed when analyzing multiple pieces
of information that are not available at the same time.
![Page 9: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/9.jpg)
Filtering Atomic vs. Stateful Signatures
LAND attack Attacker sends TCP-SYN packet with same source
and destination address. Caused TCP stacks to crash.
Can be discovered looking at a single packet. Search for string “etc/password” in a URL
Attacker fragments the packet so that the string is not in either fragment.
State is needed in order to recognize the attack.
![Page 10: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/10.jpg)
Filtering Signature Triggers
Pattern Detection Simple string search
Search for string “etc/passwords” ARP Protocol decoders search for string only in
protocol fields. ARP request with source address FF:FF:FF:FF:FF:FF
Anomaly Detection Traffic going to an unusual port. Protocol compliance for http traffic
Behavior Detection Abnormally large / small fragmented packets Search for RPC requests that do not initially utilize
the PortMapper
![Page 11: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/11.jpg)
Filtering
Signature Actions Generating an alert Dropping / preventing an activity Logging the activity Resetting a TCP connection Blocking future activity Allow activity
![Page 12: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/12.jpg)
Packet Filtering
Static Packet Filtering Allow or deny access to packets
based on internal characteristics.
access list 111 deny ip host 205.205.205.205.1 any
access list 111 permit tcp host 205.205.205.205.1 any
access list 111 deny icmp any any echo-request
access list 111 permit icmp any any packet-to-big
access list 111 deny icmp any any
Cisco extended ACL
![Page 13: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/13.jpg)
Static Packet Filtering
Difficult to design efficient rules. Easy to get the rules tables wrong and allow
bad traffic. Security risks
People can piggy-back bad messages in harmless ones.
http traffic is known to be used as a backdoor. Loki uses unused fields in normal TCP packets.
Fragmentation allows the filter to look only at a fragment
Most only look at the first fragment
![Page 14: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/14.jpg)
Static Packet Filtering
Configuring a packet filter: Security Policy: what is allowed, what
is not allowed. Allowable types of packets must be
specified logically, in terms of logical expression on packet fields.
Expressions need to be rewritten in the firewall vendor’s language.
![Page 15: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/15.jpg)
Static Packet Filtering Example
Security Policy: Allow inbound mail messages (SMTP, port 25),
but only to gateway. Block host faucet.
action Our host
port Their host
port comment
block * * faucet * We don’t trust these people.
allow OUR-GW
25 * * Connection to our SMTP server
![Page 16: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/16.jpg)
Static Packet Filtering Example
If no rule applies, then the packet is dropped. Without additional rules, our rule set would drop all
non-mail packets. There would also be no replies. Beware of a rule like this (intended to allow acks)
Based solely on outside host’s port number. Port 25 is usually the mail port. But there is no guarantee.
action Our host port Their host port comment
allow * * * 25 Connection to their SMTP
port
![Page 17: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/17.jpg)
Static Packet Filtering Example
Expand rule set to allow connection with the outside:
action Our host port Their host port Flag comment
block * * faucet *
allow OUR-GW 25 * *
allow (our host) * * 25 Our packets to their port
allow * 25 * * ACK Their replies
Specify the names of all machines allowed to send mail to the outside here.
![Page 18: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/18.jpg)
Static Packet Filtering
Combating Address Spoofing At a minimum:
Don’t allow inside source addresses coming in.
Don’t allow outside source addresses going out.
Block source routing at the border routers.
![Page 19: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/19.jpg)
Static Packet Filtering Routing Information
If a node is unreachable from the outside then the node is almost (but not quite) as safe as a node disconnected from the net.
Internal routers should not advertise paths to such nodes to the outside.
Filter routes learned from the outside: Protects against subversion by route confusion. Route squatting:
Use internal addresses that belong to a different domain. The nodes are de facto unreachable from the outside. Use non-announced addresses. (e.g. 10.x.x.x)
But beware, when companies merge, these addresses tend to be incompatible.
So pick addresses in unpopular address ranges.
![Page 20: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/20.jpg)
Static Packet Filtering Performance
Packet filtering is done at the border. No degradation for the internal network.
Typically, connection to ISP is the bottleneck.
However: Degradation depends on the number of
rules applied. Can be mitigated by careful ordering of
rules.
![Page 21: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/21.jpg)
Application Level Filtering Packet filters only look at
The source address The destination address TCP / UDP port numbers TCP / UDP flags.
Application filters deals with the details of the service they are checking. E.g. a mail application filter looks at
RFC 822 headers. MIME attachments. Might identify virus infected attachments.
![Page 22: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/22.jpg)
Application Level Filtering
Snort: Allows to set up rules that pass a
packet on to another service. Commercial firewalls
Include application level filters for many products.
Use non-disclosure agreement to obtain proprietary protocols
![Page 23: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/23.jpg)
Dynamic Packet Filtering Stateful Firewall Still look at each packet. Maintains a state of each connection.
Implements connection filtering. Dynamically adjust a filtering table of current
connections. Implementation
Adjust the filtering rules dynamically. E.g.: We started an HTTP connection to a given host. Now HTTP packages from that host are allowed.
OR: Terminate the connection at the firewall and then have the firewall call the ultimate destination (proxying).
![Page 24: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/24.jpg)
Proxy Firewalls Proxies act on behalf of a client. Proxy firewall
Reverse Proxy Receives packages on one card. Processes requests. Translates them into internal requests on other card. Receives answers from inside and translates to the
outside.
![Page 25: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/25.jpg)
Proxy Firewalls Proxy firewall
Forward Proxy Receives requests from the
inside. Processes requests. Translates them into requests to
the outside on other card. Receives answers from outside
and translates to the inside. Acts on behalf of inside machine
that is protected from the vagaries of the internet.
![Page 26: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/26.jpg)
Proxy Firewalls
Application level proxies work at the level of application.
Circuit-level proxies does not understand the application makes filtering decisions by validating
and monitoring sessions.
![Page 27: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/27.jpg)
Application Inspection
Dynamic Firewalls allow selective inspection of applications: http ftp dns icmp …
![Page 28: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/28.jpg)
Application Inspection
DNS example (Cisco ASA DNS inspection) Guarantees that the ID of the DNS
machine matches the ID of the DNS query
Allows translation of DNS packets using NAT
Reassembles DNS packets to verify its length.
![Page 29: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/29.jpg)
Application Inspection
SMTP (Cisco ASA protection) Protects against SMTP-based attacks
by restricting the types of SMTP commands.
Illegal command is modified and forwarded.
Typically, receiver replies with an SMTP error 500 (command not recognized)
Checks size, …
![Page 30: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/30.jpg)
Network Address Translation Originally designed to address the IPv4
address shortage: Use internal IP addresses
192.168.x.x 172.16.x.x, 172.32.x.x 10.x.x.x
NAT box is dual hosted: One connection to interior network Other connection to exterior network
with “overloaded” or “public” address
![Page 31: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/31.jpg)
Network Address Translation Internal host initiates TCP connection to
the outside. NAT box takes TCP package, replaces
source IP with its public IP, port with a port chosen for that connection
When reply return to NAT box, forwards package to internal host.
NAT uses stored connection data to determine the interior address
![Page 32: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/32.jpg)
Network Address Translation NAT increases security:
NAT hides host identities NAT hides weak sequence number
generating hosts by randomizing sequence numbers.
NAT disables inbound TCP connections NAT breaks most UDP protocols
NAT allow load balancing and transparent failover
![Page 33: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/33.jpg)
Network Address Translation
Full Cone NAT (one to one NAT) all requests from same internal IP
address and port are mapped to the same external IP address and port.
Allows external host to send package to the host by using the mapped external address.
![Page 34: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/34.jpg)
Network Address Translation
Restricted Cone NAT All requests from same internal IP
address and port are mapped to the same external IP address and port.
External host can only send package to internal host if the connection has already been established
![Page 35: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/35.jpg)
Network Address Translation
Port Restricted Cone NAT Like restricted cone NAT,
but only for certain port numbers Symmetric NAT
All request from the same internal IP address and port to a specific destination IP and port are mapped to a unique external source IP address and port.
If the same hosts sends to the same port, but another IP address, then a different mapping is used.
External host needs to receive a packet before sending a UDP packet back to the internal host.
In practice: combinations between these behaviors.
![Page 36: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/36.jpg)
Virtual Private Networks
![Page 37: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/37.jpg)
Virtual Private Networks
VPN uses connections over an existing public network
Connection secured with encryption Host to Host Host to Gateway Gateway to Gateway
![Page 38: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/38.jpg)
Virtual Private Networks
![Page 39: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/39.jpg)
Virtual Private Networks
Encryption can be done at Application level. Transport level. Network level. Data link level.
![Page 40: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/40.jpg)
Virtual Private NetworksVPN Technologies Application Level
Pretty Good Privacy Secure Shell (SSH)
Transport Level Secure Socket Layer
Does not protect the package, but its content. Typically runs at the application level of the OS, so OS does not need
to be changed. Network Level
IPSec Encrypts package itself. Encrypted package receives a new package header.
IPSec protects port address, but not destination address. OS need to be changed (but only once: Win2000, WinXP)
Data Link Layer 2 Tunneling Protocol addition to Point-to-Point protocol (PPP)
Encrypts packets on the data layer. L2TP (Layer 2 Tunneling)
![Page 41: COEN 350](https://reader036.vdocuments.net/reader036/viewer/2022081520/568159f0550346895dc73a32/html5/thumbnails/41.jpg)
Virtual Private Networks
Alternatives are dedicated point-to-point connections such as a private T1 line. Most secure. Most expensive. Takes time to set-up.